18.3.2.4. Insert a drop rule at the input filter

18.3.2.5. Delete a rule by number

18.3.2.6. Enable connection tracking

Since kernel version 2.6.20 IPv6 connection tracking is well supported and should be used instead of using stateless filter rules.

# ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

18.3.2.7. Allow ICMPv6

Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified

Accept incoming ICMPv6 through tunnels

# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT

Allow outgoing ICMPv6 through tunnels

# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT

Newer kernels allow specifying of ICMPv6 types:

# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

18.3.2.8. Rate-limiting

Because it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like:

18.3.2.11. Protection against incoming TCP connection requests

VERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use!

Block incoming TCP connection requests to this host

# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP

Block incoming TCP connection requests to hosts behind this router

# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP

Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way.

18.3.2.12. Protection against incoming UDP connection requests

ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are using local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like:

Block incoming UDP packets which cannot be responses of outgoing requests of this host

# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP

Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router

# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP

18.3.3. Examples

18.3.3.1. Simple example for Fedora

Following lines show a simple firewall configuration for Fedora 6 (since kernel version 2.6.20). It was modfied from the default one (generated by system-config-firewall) for supporting connection tracking and return the proper ICMPv6 code for rejects. Incoming SSH (port 22) connections are allowed.